12244695

Associating Pre-Shared Keys with Client Devices Based on Message Integrity Check Values

Published: March 4, 2025
Assignee: not available in USPTO data

Patent Claims
19 claims

Legal claims defining the scope of protection, as filed with the USPTO.

1. A method comprising: accessing a first message sent from an access point device, wherein the first message comprises data representing a second message sent by a client device, wherein: the second message is part of an exchange of messages between the client device and the access point device associated with authentication of the client device and a derivation of a first key used to encrypt and decrypt data communicated between the client device and the access point device; and the second message comprises a first message integrity check value; identifying, based on the second message, a pre-shared key corresponding to the client device, wherein identifying the pre-shared key comprises: determining a second message integrity check value based on: a candidate pre-shared key of a plurality of candidate pre-shared keys; a content of the second message; and a length of the second message; comparing the second message integrity check value with the first message integrity check value; and based on a result of the comparison, selecting the given candidate pre-shared key as the pre-shared key; determining a user role based on the pre-shared key; and causing a third message to be sent to the access point device, wherein the third message comprises data representing the pre-shared key and data representing the user role.

2. The method of claim 1, wherein identifying the pre-shared key further comprises: applying a first key derivation function to determine, for each candidate pre-shared key of the plurality of candidate pre-shared keys, a candidate pre-shared master key based on the candidate pre-shared key to provide a plurality of candidate pre-shared master keys; and determining the second message integrity check value based on a given candidate pre-shared master key of the plurality of candidate pre-shared master keys.

3. The method of claim 2, wherein identifying the pre-shared key further comprises: applying a second key derivation function to determine, for the given candidate pre-shared master key, a pairwise temporal key; and determining the second message integrity check value based on the pairwise temporal key.

4. The method of claim 3, wherein: the pairwise temporal key comprises a key confirmation key; and identifying the pre-shared key further comprises determining the second message integrity check value based on the key confirmation key.

5. The method of claim 1, wherein identifying the pre-shared key further comprises: applying a cryptographic hash function to the content of the second message and the candidate pre-shared key to provide a hash value representing the second message integrity check value; comparing the hash value with the first message integrity check value; and based on the result of the comparison of the hash value with the first message integrity check value, selecting the given candidate pre-shared key as the pre-shared key.

6. The method of claim 1, wherein identifying the pre-shared key further comprises: identifying the plurality of candidate pre-shared keys based on a media access control (MAC) address of the access point device.

7. An apparatus comprising: a hardware processor; and a memory to store instructions, that, when executed by the hardware processor, cause the hardware processor to: access a first message sent from an access point device, wherein the first message comprises data representing a second message sent by a client device, wherein: the second message is part of an exchange of messages between the client device and the access point device associated with authentication of the client device and a derivation of a first key used to encrypt and decrypt data communicated between the client device and the access point device; and the second message comprises a first message integrity check value; identify, based on the second message, a pre-shared key corresponding to the client device, wherein identifying the pre-shared key comprises: determining a second message integrity check value based on: a candidate pre-shared key of a plurality of candidate pre-shared keys; a content of the second message; and a length of the second message; comparing the second message integrity check value with the first message integrity check value; and based on a result of the comparison, selecting the given candidate pre-shared key as the pre-shared key; determine a user role based on the pre-shared key; and cause a third message to be sent to the access point device, wherein the third message comprises data representing the pre-shared key and data representing the user role.

8. The apparatus of claim 7, wherein: the first message comprises an identifier for the access point device; and the instructions, when executed by the hardware processor, further cause the hardware processor to identify the plurality of candidate pre-shared keys based on the identifier for the access point device.

9. The apparatus of claim 7, wherein the instructions, when executed by the hardware processor, further cause the hardware processor to: apply a cryptographic hash function to the content of the second message and the candidate pre-shared key to provide a hash value representing the second message integrity check value; compare the hash value with the first message integrity check value; and based on the result of the comparison of the hash value with the first message integrity check value, select the given candidate pre-shared key as the pre-shared key.

10. The apparatus of claim 7, wherein the instructions, when executed by the hardware processor, further cause the hardware processor to: determine a candidate pre-shared master key based on the given candidate pre-shared key; and determine the second message integrity check value based on the candidate pre-shared master key.

11. The apparatus of claim 10, wherein the instructions, when executed by the hardware processor, further cause the hardware processor to: determine a candidate pairwise transient key based on the candidate pre-shared master key; and determine the second message integrity check value based on the candidate pairwise transient key.

12. The apparatus of claim 11, wherein the instructions, when executed by the hardware processor, further cause the hardware processor to determine the candidate pairwise transient key based on a wireless network identifier.

13. The apparatus of claim 7, wherein the instructions, when executed by the hardware processor, further cause the hardware processor to select the plurality of candidate pre-shared keys based on a media access control (MAC) address corresponding to the access point device.

14. The apparatus of claim 7, wherein the first message corresponds to a request to authorize the client device to access a network, and the third message corresponds to the request being granted.

15. A non-transitory machine-readable storage medium that stores machine-readable instructions that, when executed by a machine, cause the machine to: receive, from an access point device, an authorization request message, wherein the authorization request message corresponds to an authorization for a client device to access a network via the access point device, the authorization message comprising data representing a second message sent by the client device, and a content of the second message containing a message content cryptographically bound, via a first message integrity check value, to a first pre-shared key; access a directory comprising a plurality of candidate pre-shared keys; based on the message content, identify a given candidate pre-shared key of the plurality of candidate pre-shared keys as being the first pre-shared key, wherein identifying the given candidate pre-shared key comprises: determining a second message integrity check value based on: a candidate pre-shared key of a plurality of candidate pre-shared keys; a content of the second message; and a length of the second message; comparing the second message integrity check value with the first message integrity check value; and based on a result of the comparison, selecting the given candidate pre-shared key as the first pre-shared key; determine a user role based on the first pre-shared key; and send, to the access point device, an authorization acceptance message to allow the client device to access the network, wherein the authorization acceptance message comprises data representing the first pre-shared key and data representing the user role.

16. The non-transitory machine-readable storage medium of claim 15, wherein the instructions, when executed by the machine, further cause the machine to: apply a first key derivation function to determine, for each candidate pre-shared key of the plurality of candidate pre-shared keys, a candidate pre-shared master key based on the candidate pre-shared key to provide a plurality of candidate pre-shared master keys; and determine the second message integrity check value based on a given candidate pre-shared master key of the plurality of candidate pre-shared master keys.

17. The non-transitory machine-readable storage medium of claim 16, wherein the instructions, when executed by the machine, further cause the machine to: apply a second key derivation function to determine, for the given candidate pre-shared master key, a pairwise temporal key; and determine the second message integrity check value based on the pairwise temporal key.

18. The non-transitory machine-readable storage medium of claim 17, wherein the pairwise temporal key comprises a key confirmation key, and the instructions, when executed by the machine, further cause the machine to determine the second message integrity check value based on the key confirmation key.

19. The non-transitory machine-readable storage medium of claim 15, wherein the instructions, when executed by the machine, further cause the machine to identify the plurality of candidate pre-shared keys based on a media access control (MAC) address of the access point device.
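As an added example (not the patent's own code or any vendor's implementation), the identification loop of claims 1 through 6 as an authentication server would run it: for each candidate PSK behind the requesting AP, derive the PMK, then the PTK and its KCK, recompute the MIC over the client's handshake message 2 and compare. It assumes WPA2-Personal with CCMP (PBKDF2-HMAC-SHA1 for the PMK, PRF-384 for the PTK, HMAC-SHA1-128 for the MIC), a constructed PSK-to-role directory keyed by AP MAC, and that the AP's request also carries the station MAC and ANonce; the build_msg2 helper plays the client so the sample runs offline.

```python
import hashlib
import hmac

# Constructed directory for this example (not the patent's own data): candidate PSKs
# selected by the AP's MAC address (claim 6), each mapped to a user role (claim 1).
PSK_DIRECTORY = {
    "aa:bb:cc:dd:ee:01": [("guest-pass-2024", "guest"),
                          ("iot-sensor-key", "iot"),
                          ("staff-only-key", "staff")],
}
MIC_OFF, MIC_LEN = 81, 16  # EAPOL-Key MIC field: 4-byte EAPOL header + 77 bytes of key frame
NONCE_OFF = 17             # SNonce field: header + descriptor type, key info, key length, replay ctr

def pmk_from_psk(psk, ssid):
    # First KDF (claim 2): WPA2-Personal PSK -> PMK is PBKDF2-HMAC-SHA1, 4096 rounds, 32 bytes.
    return hashlib.pbkdf2_hmac("sha1", psk.encode(), ssid.encode(), 4096, 32)

def ptk_from_pmk(pmk, aa, spa, anonce, snonce):
    # Second KDF (claim 3): IEEE 802.11 PRF-384 (HMAC-SHA1) over the ordered MACs and nonces.
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    blocks = [hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]),
                       hashlib.sha1).digest() for i in range(3)]
    return b"".join(blocks)[:48]  # KCK (16) | KEK (16) | TK (16); the KCK feeds the MIC (claim 4)

def eapol_mic(kck, frame):
    # Key descriptor version 2: HMAC-SHA1-128 over the whole EAPOL-Key frame, its length field
    # included (the claim's "length of the second message"), with the MIC field zeroed.
    zeroed = frame[:MIC_OFF] + b"\x00" * MIC_LEN + frame[MIC_OFF + MIC_LEN:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:MIC_LEN]

def build_msg2(kck, snonce, key_data=b""):
    # Client side, constructed for the example: 4-way handshake message 2 carrying SNonce and MIC
    # (RSN descriptor, key info 0x010a = version 2 | pairwise | MIC, replay counter 1).
    body = (b"\x02\x01\x0a\x00\x10" + (1).to_bytes(8, "big") + snonce + b"\x00" * 32
            + b"\x00" * MIC_LEN + len(key_data).to_bytes(2, "big") + key_data)
    frame = b"\x02\x03" + len(body).to_bytes(2, "big") + body
    return frame[:MIC_OFF] + eapol_mic(kck, frame) + frame[MIC_OFF + MIC_LEN:]

def identify_psk(ap_mac, ssid, sta_mac, anonce, msg2):
    # Server side (claims 1-4, 6): for each candidate PSK behind this AP, trial-derive the KCK,
    # recompute the MIC over message 2 and compare it (constant time) with the MIC the client sent.
    aa, spa = (bytes.fromhex(m.replace(":", "")) for m in (ap_mac, sta_mac))
    snonce, client_mic = msg2[NONCE_OFF:NONCE_OFF + 32], msg2[MIC_OFF:MIC_OFF + MIC_LEN]
    for psk, role in PSK_DIRECTORY.get(ap_mac, []):
        kck = ptk_from_pmk(pmk_from_psk(psk, ssid), aa, spa, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, msg2), client_mic):
            return psk, role  # this PSK and role go back to the AP (claim 1, third message)
    return None  # no candidate reproduces the MIC: reject the authorization request
```

The per-candidate PBKDF2 is the expensive step, which is why claims 2 and 16 derive the candidate PMKs up front rather than per handshake; keying the directory by AP MAC (claims 6, 13, 19) also keeps the candidate set small.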

Patent Metadata

Filing Date

Unknown

Publication Date

March 4, 2025

Inventors

Ruiyao Yang
David Wilson
Zhou Wang
Youhe Zhang
Feng Ding

Citation & reuse

Cite as: Patentable. “ASSOCIATING PRE-SHARED KEYS WITH CLIENT DEVICES BASED ON MESSAGE INTEGRITY CHECK VALUES” (12244695). https://patentable.app/patents/12244695
